## In this issue
1. [2024/859] Novel approximations of elementary functions in ...
2. [2025/254] Garbled Lookup Tables from Homomorphic Secret Sharing
3. [2025/376] Another Look at the Quantum Security of the ...
4. [2025/976] The Large Block Cipher Family Vistrutah
5. [2025/1006] Adding Feeding Forward Back to the Sponge Construction
6. [2025/1068] Efficient Modular Multiplication Using Vector ...
7. [2025/1069] PRESENT Full Round Emulation : Structural Flaws and ...
8. [2025/1070] Zeus: Defending against Fee Stealing and Griefing ...
9. [2025/1071] PICS: Private Intersection over Committed (and ...
10. [2025/1072] How to Model Unitary Oracles
11. [2025/1073] LAPWN: A Lightweight User–Server Authentication ...
12. [2025/1074] Multiparty Distributed Point Functions
13. [2025/1075] Secure and Practical Cold (and Hot) Staking
14. [2025/1076] Weight reduction in distributed protocols: new ...
15. [2025/1077] Shorter VOLE-in-the-Head-based Signatures from ...
16. [2025/1078] A Theoretical Perspective on the Formal ...
17. [2025/1079] Revisiting Discrete Logarithm Reductions
18. [2025/1080] Leftover Hash Lemma(s) Over Cyclotomic Rings
19. [2025/1081] FABLE: Batched Evaluation on Confidential Lookup ...
20. [2025/1082] Treebeard: A Scalable and Fault Tolerant ORAM Datastore
21. [2025/1083] The complexity of the SupportMinors Modeling for ...
22. [2025/1084] How to (not) combine Oblivious Pseudorandom Functions
23. [2025/1085] SmallWood: Hash-Based Polynomial Commitments and ...
24. [2025/1086] Fairness in the Wild: Secure Atomic Swap with ...
25. [2025/1087] Cryptography meets worst-case complexity: Optimal ...
26. [2025/1088] Homomorphic Field Trace Revisited : Breaking the ...
27. [2025/1089] Rugged Pseudorandom Permutations with Beyond- ...
28. [2025/1090] Concrete Treatment of Signal Handshake’s ...
29. [2025/1091] Quantum Computing without the Linear Algebra
30. [2025/1092] OwlC: Compiling Security Protocols to Verified, ...
31. [2025/1093] On the Concrete Security of BBS/BBS+ Signatures
32. [2025/1094] Key Updatable Identity-Based-Signature Schemes
33. [2025/1095] Ideally HAWKward: How Not to Break Module-LIP
34. [2025/1096] CuFDFB: Fast and Private Computation on Non-Linear ...
35. [2025/1097] Oracle-Based Multistep Strategy for Solving ...
36. [2025/1098] Isogeny-based key exchange from orientations of ...
37. [2025/1099] Lattice-Based Accumulator and Application to ...
38. [2025/1100] Tanuki: New Frameworks for (Concurrently Secure) ...
39. [2025/1101] A Note on One Authentication and Key Agreement ...
40. [2025/1102] TEEMS: A Trusted Execution Environment based ...
41. [2025/1103] Universally Composable Succinct Vector Commitments ...
42. [2025/1104] Better GBFV Bootstrapping and Faster Encrypted Edit ...
43. [2025/1105] Low-cost anonymous reputation update for IoT ...
44. [2025/1106] b4M: Holistic Benchmarking for MPC
45. [2025/1107] Early Stopping is Cheap
46. [2025/1108] Laconic PSI on Authenticated Inputs and Applications
47. [2025/1109] Kahrobaei--Koupparis DSS: universal forgery
48. [2025/1110] A Framework for Compiling Custom Languages as ...
49. [2025/1111] SEAF: Secure Evaluation on Activation Functions ...
50. [2025/1112] Hydrangea: Optimistic Two-Round Partial Synchrony ...
51. [2025/1113] Computational Attestations of Polynomial Integrity ...
## 2024/859
* Title: Novel approximations of elementary functions in zero-knowledge proofs * Authors: Kaarel August Kurik, Peeter Laud
* [Permalink](
https://eprint.iacr.org/2024/859)
* [Download](
https://eprint.iacr.org/2024/859.pdf)
### Abstract
In this paper, we study the computation of complex mathematical functions in statements executed on top of zero-knowledge proofs (ZKP); these functions may include roots, exponentials and logarithms, trigonometry etc. While existing approaches to these
functions in privacy-preserving computations (and sometimes also in general-purpose processors) have relied on polynomial approximation, more powerful methods are available for ZKP. In this paper, we note that in ZKP, all algebraic functions are exactly
computable. Recognizing that, we proceed to the approximation of transcendental functions with algebraic functions. We develop methods of approximation, instantiate them on a number of common transcendental functions, and benchmark their precision and
efficiency in comparison with best polynomial approximations.
## 2025/254
* Title: Garbled Lookup Tables from Homomorphic Secret Sharing
* Authors: Liqiang Liu, Tianren Liu, Bo Peng
* [Permalink](
https://eprint.iacr.org/2025/254)
* [Download](
https://eprint.iacr.org/2025/254.pdf)
### Abstract
Garbled Circuit (GC) is a fundamental tool in cryptography, especially in secure multiparty computation. Most garbling schemes follow a gate-by-gate paradigm. The communication cost is proportional to the circuit size times the security parameter $\
lambda$.
Recently, Heath, Kolesnikov and Ng (Eurocrypt 2024) partially transcend the circuit size barrier by considering large gates. To garble an arbitrary $n$-input $m$-output gate, their scheme requires $O(nm\lambda) + 2^nm$ bits of communication. The
security relies on circular correlation robust hash functions (CCRH).
We further improve the communication cost to $O(n \lambda_{\sf DCR} + m\lambda)$, removing the exponential term. The computation cost is $O(2^n (\lambda_{\sf DCR})^2)$, dominated by $O(2^nn)$ exponentiations. Our construction is built upon recent
progress in DCR-based Homomorphic Secret Sharing (HSS), so it additionally relies on the decisional composite residuosity (DCR) assumption.
As an intermediate step, we construct programmable distributed point functions with decomposable keys, relying on the DCR assumption. Previously, such primitive can only be constructed from multilinear maps or sub-exponential lattice assumptions.
## 2025/376
* Title: Another Look at the Quantum Security of the Vectorization Problem with Shifted Inputs
* Authors: Paul Frixons, Valerie Gilchrist, Péter Kutas, Simon-Philipp Merz, Christophe Petit
* [Permalink](
https://eprint.iacr.org/2025/376)
* [Download](
https://eprint.iacr.org/2025/376.pdf)
### Abstract
Cryptographic group actions provide a basis for simple post-quantum generalizations of many cryptographic protocols based on the discrete logarithm problem (DLP). However, many advanced group action-based protocols do not solely rely on the core group
action problem (the so-called vectorization problem), but also on variants of this problem, to either improve efficiency or enable new functionalities. In particular, the security of the CSI-SharK threshold signature protocol relies on the hardness of
the Vectorization Problem with Shifted Inputs where (in DLP formalism) the adversary not only receives $g$ and $g^x$, but also $g^{x^c}$ for multiple known values of $c$. A natural open question is whether the extra data provided to the adversary in this
variant allows them to solve the underlying problem more efficiently.
In this paper, we revisit the concrete quantum security of this problem. We start from a quantum multiple hidden shift algorithm of Childs and van Dam, which to the best of our knowledge was never applied in cryptography before. We specify algorithms
for its subroutines and we provide concrete complexity estimates for both these subroutines and the overall algorithm.
We apply our analysis to the CSI-SharK protocol. In prior analyses based on Kuperberg's algorithms, group action evaluations contributed to a significant part of the overall T-gate cost. For CSI-SharK suggested parameters, our new approach requires
significantly fewer calls to the group action evaluation subroutine, leading to significant complexity improvements overall. We describe two instances of our approach, one which lowers the T-gate complexity, and the other the QRAM requirements. We
obtain significant speedups -- even in both metrics simultaneously -- and we quantify the degradation of the quantum security of the protocol when the number of curves in the public key increases.
## 2025/976
* Title: The Large Block Cipher Family Vistrutah
* Authors: Roberto Avanzi, Bishwajit Chakraborty, Eik List
* [Permalink](
https://eprint.iacr.org/2025/976)
* [Download](
https://eprint.iacr.org/2025/976.pdf)
### Abstract
Vistrutah is a large block cipher with block sizes of 256 and 512 bits. It iterates a step function that applies two AES rounds to each 128-bit block of the state, followed by a state-wide cell permutation. Like Simpira, Haraka, Pholkos, and ASURA,
Vistrutah leverages AES instructions to achieve high performance.
For each component of Vistrutah, we conduct a systematic evaluation of functions that can be efficiently implemented on both Intel and Arm architectures. We therefore expect them to perform efficiently on any recent vector instruction set architecture (
ISA) with AES support. Our evaluation methodology combines latency estimation on an abstracted vector ISA with security analysis. The goal is to maximize the ratio
of "bits of security per unit of time", i.e., to achieve the highest security for a given performance target, or equivalently, the best performance for a given security level within this class of designs. Implementations confirm the accuracy of our
latency model. Vistrutah even performs significantly better than Rijndael-256-256.
We support our security claims with a comprehensive ad-hoc cryptanalysis. An isomorphism between Vistrutah-512, the 512-bit wide variant, and the AES, allows us to also leverage the extensive cryptanalysis of AES and apply it to Vistrutah-512.
A core design principle is the use of an inline key schedule: all round keys are computed during each encryption or decryption operation without requiring memory storage. In fact, rekeying has no associated overheads. Key schedules like the AES’s must
precompute and store round keys in memory for acceptable performance. However, in 2010 Kamal and Youssef showed this makes cold boot attacks more effective. Vistrutah’s approach minimizes leakage to at most one value during context switches.
Furthermore, expensive key schedules reduce key agility, limiting the design of modes of operation.
Vistrutah is particularly well-suited for Birthday-Bound modes of operation, including Synthetic IV modes and Accordion modes for 256-bit block ciphers. It can serve as a building block for compression functions (such as Matyas-Meyer-Oseas) in wide
Merkle-Damgard hash functions. Additionally, it can implement "ZIP" wide pseudo-random functions as recently proposed by Florez-Gutierrez et al. in 2024.
Finally, we present short, i.e., reduced-round versions of Vistrutah which are analyzed taking into account the restrictions posed on attackers by specific modes of operation. In particular, we model the use of the block ciphers in Hash-Encrypt-Hash (HEH)
constructions such as HCTR2 as well as in ForkCiphers. These short versions of Vistrutah can be used to accelerate modes of operation without sacrificing security.
## 2025/1006
* Title: Adding Feeding Forward Back to the Sponge Construction
* Authors: Chun Guo, Kai Hu, Yanhong Fan, Yong Fu, Meiqin Wang
* [Permalink](
https://eprint.iacr.org/2025/1006)
* [Download](
https://eprint.iacr.org/2025/1006.pdf)
### Abstract
Avoiding feeding forward seems to be a major goal of the sponge construction. We make a step back and investigate adding feeding forward back to sponge. The obtained sponge-with-feeding-forward construction has a number of benefits: (1) In the random
permutation model, its preimage and second preimage security bounds are much better than the standard sponge with the same capacity, while collision and indifferentiability security bounds are comparable; (2) Its collision and (second) preimage security
can be reduced to well-defined properties of the underlying permutation, i.e., correlation intractability w.r.t. certain family of evasive relations.
We further incorporate several somewhat new ideas to form detailed hash and XOF constructions SpongeFwd: (1) Feeding-forward is only applied to the capacity part, and the final output(s) is the capacity part (with the rate part discarded). In this way,
when $c$ equals the primary hash output size $h$, a single permutation-call suffices for squeezing. This also simplifies the underlying evasive relations for the reduction security proof. (2) We replace the hash IV with the first message block to have
the best possible efficiency. (3) We employ a parallel structure to define an XOF variant. (4) We use HAIFI-style counter inputs to achieve both length-independent second-preimage security and domain separation for XOF.
The better (second) preimage security enables constructing 512-bit output hash function from Keccak-p[800]: with 512-bit capacity, its collision and (second) preimage security bounds are the same as the standard SHA-3-512, while its hardware area is
reduced by roughly 38% (according to our preliminary estimation).
## 2025/1068
* Title: Efficient Modular Multiplication Using Vector Instructions on Commodity Hardware
* Authors: Simon Langowski, Srini Devadas
* [Permalink](
https://eprint.iacr.org/2025/1068)
* [Download](
https://eprint.iacr.org/2025/1068.pdf)
### Abstract
Modular arithmetic is the computational backbone of many cryptographic and scientific algorithms.
In particular, modular multiplication in a large prime field is computationally expensive and dictates the runtime of many algorithms. While it is relatively easy to utilize vectorization to accelerate batches of independent modular multiplications, our
goal is to reduce the latency of a $\textit{single}$ modular multiplication under a generic prime using vectorization, while maintaining constant-time execution.
We investigate the technique of Residue Number System (RNS) Montgomery modular multiplication. We first contribute a unified view of algorithmic optimizations in prior art. This view enables us to further reduce the number of elementwise multiplications
in an algorithm with a simplified structure that we prove correct.
We explore AVX512 acceleration on CPUs, and show how to map our algorithm to vector instructions. We implement our algorithm in C++ and achieve $\approx 4 \times$ speedup, which is nearly maximal, for $1024+$-bit primes on a CPU with AVX512 over
optimized library implementations of standard Montgomery modular multiplication algorithms. GPUs contain vector cores that each support tens of physical threads. We show how to intelligently map our algorithm to threads in a vector core, ``
overparallelizing'' to minimize latency. We show substantial speedups over a commercial library implementation of standard modular multiplication algorithms across a wide range of prime sizes.
## 2025/1069
* Title: PRESENT Full Round Emulation : Structural Flaws and Predictable Outputs
* Authors: Gopal Singh
* [Permalink](
https://eprint.iacr.org/2025/1069)
* [Download](
https://eprint.iacr.org/2025/1069.pdf)
### Abstract
The Internet of Things (IoT) has become integral to modern life, enabling smart cities, healthcare, and industrial automation. However, the increasing connectivity of IoT devices exposes them to various cyber threats, necessitating robust encryption
methods. The PRESENT cipher, a lightweight block cipher, is well-suited for resource-constrained IoT environments, offering strong security with minimal computational overhead. This paper explores the application of deep learning (DL) techniques in
cryptanalysis, specifically using an Aggregated Perceptron Group (APG) Model, which employs a Multi-Layer Perceptron (MLP) to predict input-output relations for each round of the PRESENT cipher’s encryption, excluding the key. This approach focuses
solely on emulating the cipher's Substitution Permutation Network (SPN), capturing its essential structure and revealing the structural flaws in the way data is transformed through rounds. The models are chained together to generate the final ciphertext
for any 64-bit plaintext with high accuracy, reducing the probability form a random guess of $2^{64}$. The results demonstrate the potential of DL models in cryptanalysis, providing insights into the security of lightweight ciphers in IoT communications
and highlighting the practicality of deep learning for cryptographic analysis on standard computing systems.
## 2025/1070
* Title: Zeus: Defending against Fee Stealing and Griefing Attacks in Multi-Hop Payments
* Authors: JIngyu Liu, Yingjie Xue, Di Wu, Jian Liu, Xuechao Wang
* [Permalink](
https://eprint.iacr.org/2025/1070)
* [Download](
https://eprint.iacr.org/2025/1070.pdf)
### Abstract
Payment Channel Networks (PCNs) are the most scalable and trust-minimized solution to Bitcoin's scalability challenges. Within PCNs, connected payer and payee can make arbitrary off-chain transactions through multi-hop payments (MHPs) over payment
channel paths, while intermediate relays charge relay fees by providing liquidity.
However, current MHP protocols face critical security threats including fee-stealing attacks and griefing attacks. In this paper, we identify new fee-stealing attacks targeting most existing MHP protocols. Second, we prove that eliminating griefing
attacks in current MHP protocols is impossible by reducing the problem to fair secret exchange. Finally, we introduce Zeus, the first Bitcoin-compatible MHP protocol that is secure against fee-stealing attacks and offers bounded griefing protection
against $k$-cost-sensitive adversaries—those who only launch griefing attacks when the expected damage exceeds a $k$ fraction of their own cost. These guarantees are established through rigorous proofs in the Global Universal Composability (GUC)
framework. Our comprehensive evaluation demonstrates that Zeus reduces worst-case griefing damage to 28\% and 75\% compared to MHP schemes such as AMHL~(NDSS'19) and Blitz~(USENIX SEC'21), respectively. Our results further show that, even under the most
adverse configurations within the Lightning Network, Zeus imposes costs on adversaries that are at least ten times greater than their potential damage.
## 2025/1071
* Title: PICS: Private Intersection over Committed (and reusable) Sets
* Authors: Aarushi Goel, Peihan Miao, Phuoc Van Long Pham, Satvinder Singh
* [Permalink](
https://eprint.iacr.org/2025/1071)
* [Download](
https://eprint.iacr.org/2025/1071.pdf)
### Abstract
Private Set Intersection (PSI) enables two parties to compute the intersection of their private sets without revealing any additional information. While maliciously secure PSI protocols prevent many attacks, adversaries can still exploit them by using
inconsistent inputs across multiple sessions. This limitation stems from the definition of malicious security in secure multiparty computation, but is particularly problematic in PSI because: (1) real-world applications---such as Apple’s PSI protocol
for CSAM detection and private contact discovery in messaging apps---often require multiple PSI executions over consistent inputs, and (2) the PSI functionality makes it relatively easy for adversaries to infer additional information.
We propose {\em Private Intersection over Committed Sets (PICS)}, a new framework that enforces input consistency across multiple sessions via committed sets. Building on the state-of-the-art maliciously secure PSI framework (i.e., VOLE-PSI [EUROCRYPT
2021]), we present an efficient instantiation of PICS % in the random oracle model using lightweight cryptographic tools. We implement our protocol to demonstrate concrete efficiency. Compared to VOLE-PSI, for input sets of size $2^{24}$, our
communication overhead is as low as $1.1\%$. Our end-to-end performance overhead is $130\%$ in the LAN setting and decreases to $80\%-10\%$ in the WAN setting with bandwidths ranging from $200$ to $5$ Mbps.
## 2025/1072
* Title: How to Model Unitary Oracles
* Authors: Mark Zhandry
* [Permalink](
https://eprint.iacr.org/2025/1072)
* [Download](
https://eprint.iacr.org/2025/1072.pdf)
### Abstract
We make the case for modeling unitary oracles by allowing for controlled access to the oracle as well as its conjugate transpose (inverse), but also its conjugate and transpose. Controlling and conjugate transposes are common if even standard, but
conjugates and transposes appear to be non-standard. In order to justify our modeling, we give several formal examples of what goes wrong or is missed when using a more restrictive modeling. We also argue that our model is the "right" level of
granularity, and that other transformations likely do not correspond to efficient computation. We also discuss other modeling choices, such as ancillas and approximation error.
Through our exploration, we uncover interesting phenomena. Examples include an attack on the recent pseudorandom unitary construction of Ma and Huang (STOC'25) if used incorrectly as a publicly evaluatable unitary, and a quantum complexity-theoretic
separation that follows from a purely classical separation.
## 2025/1073
* Title: LAPWN: A Lightweight User–Server Authentication Protocol for Wireless Networks
* Authors: Sajjad Alizadeh, Reza Hooshmand
* [Permalink](
https://eprint.iacr.org/2025/1073)
* [Download](
https://eprint.iacr.org/2025/1073.pdf)
### Abstract
The Internet of Things (IoT) is composed of interconnected devices that exchange data over a network,
enabling applications in healthcare, transportation, and smart environments. As IoT ecosystems expand,
ensuring security and privacy remains a critical challenge. Many IoT devices rely on wireless
networks for data transmission, making them vulnerable to eavesdropping, tracking, and tampering.
This highlights the need for robust authentication mechanisms. To address these concerns, numerous
authentication protocols have been proposed. However, many fail to ensure adequate security against
both passive and active attacks. In this research, we introduce LAPWN, a lightweight protocol for
user–server communication, specifically designed for constrained environments, ensuring a balance
between security and efficiency. The proposed protocol is implemented as a fully functional Python
application, demonstrating its practical usability and evaluating its efficiency in real-world scenarios.
To validate its security, we performboth informal and formal analyses, utilizing Scyther, ProVerif, and
the Real-or-Random (RoR) model. The results confirm that LAPWN provides a secure, lightweight,
and efficient authentication solution with low computational and communication overhead. Furthermore,
performance evaluations show that it surpasses existing authentication protocols, making it a
highly effective solution for secure user–server interactions in constrained environments.
## 2025/1074
* Title: Multiparty Distributed Point Functions
* Authors: Aarushi Goel, Mingyuan Wang, Zhiheng Wang
* [Permalink](
https://eprint.iacr.org/2025/1074)
* [Download](
https://eprint.iacr.org/2025/1074.pdf)
### Abstract
We present the first construction of multiparty distributed point functions based on one-way functions, where the share sizes remain sublinear in the domain size and grow {\em only polynomially} with the number of parties. In contrast, existing
multiparty distributed point function constructions in Minicrypt have share sizes that grow {\em exponentially} with the number of parties.
## 2025/1075
* Title: Secure and Practical Cold (and Hot) Staking
* Authors: Mario Larangeira
* [Permalink](
https://eprint.iacr.org/2025/1075)
* [Download](
https://eprint.iacr.org/2025/1075.pdf)
### Abstract
The stake delegation technique is what turns the general Proof of Stake (PoS) into a practical protocol for a large number of participants, ensuring the security of the distributed system, in what is known as Delegated PoS (DPoS). Karakostas et al. (SCN
20) formalized the delegation method paving the way for a whole industry of stake pools by proposing a formal definition for wallet as a universal composable (UC) functionality and introducing a corresponding protocol. On the other hand, a widely used
technique named hot/cold wallet was formally studied by Das et al. (CCS ’19 and ’21), and Groth and Shoup (Eurocrypt ’22) for different key derivation methods in the Proof of Work (PoW) setting, but not PoS. Briefly, while hot wallets are exposed
to the risks of the network, the cold wallet is kept offline, thus more secure. However this may impair some capabilities given that the cold wallet is kept indefinitely offline. It is straightforward to observe that this “double wallet” design is
not naturally portable to the setting where delegation is paramount, i.e., DPoS. This work identifies challenges for PoS Hot/Cold Wallet and proposes a secure and practical protocol.
## 2025/1076
* Title: Weight reduction in distributed protocols: new algorithms and analysis * Authors: Anatoliy Zinovyev
* [Permalink](
https://eprint.iacr.org/2025/1076)
* [Download](
https://eprint.iacr.org/2025/1076.pdf)
### Abstract
We study the problem of minimizing the total weight of (potentially many) participants of a distributed protocol, a necessary step when the original values are large but the scheme to be deployed scales poorly with the weights. We assume that $\alpha$
fraction of the original weights can be corrupted and we must output new weights with at most $\beta$ adversarial fraction, for $\alpha < \beta$. This problem can be viewed from the prism of electing a small committee that does the heavy work, a powerful
tool for making distributed protocols scalable. We solve the variant that requires giving parties potentially multiple seats in the committee and counting each seat towards the cost of the solution. Moreover, we focus on the ``deterministic'' version of
the problem where the computed committee must be secure for any subset of parties that can be corrupted by the adversary; such a committee can be smaller than a randomly sampled one in some cases and is useful when security against adaptive corruptions
is desired but parties in the sub-protocol speak multiple times.
Presented are new algorithms for the problem as well as analysis of prior work. We give two variants of the algorithm Swiper (PODC 2024), one that significantly improves the running time without sacrificing the quality of the output and the other
improving the output for a reasonable increase in the running time. We prove, however, that all known algorithms, including our two variants of Swiper, have worst case approximation ratio $\Omega(n)$. To counter that, we give the first polynomial time
algorithm with approximation factor $n / \log^2 n$ and also the first sub-exponential time exact algorithm, practical for some real-world inputs. Of theoretical interest is another polytime algorithm that we present, based on linear programming, whose
output is no worse than an optimal solution to the problem with slightly different parameters.
We implemented and tested previous and new algorithms, comparing them on the stake distributions of popular proof-of-stake blockchains, and found that our second variant of Swiper computes solutions extremely close to the optimal, confirmed by our exact
algorithm.
## 2025/1077
* Title: Shorter VOLE-in-the-Head-based Signatures from Vector Semi-Commitment * Authors: Seongkwang Kim, Byeonghak Lee, Mincheol Son
* [Permalink](
https://eprint.iacr.org/2025/1077)
* [Download](
https://eprint.iacr.org/2025/1077.pdf)
### Abstract
The VOLE-in-the-Head (VOLEitH) paradigm transforms VOLE-based zero-knowledge proofs into post-quantum signature schemes by allowing public verification. We introduce reduced VOLE-in-the-Head (rVOLEitH), which incorporates the Vector Semi-Commitment (VSC)
technique. VSC, originally developed for MPC-in-the-Head (MPCitH) schemes, reduces commitment size while maintaining security by relaxing the binding property. We adapt the ideal cipher version of VSC (IC-VSC) into the VOLEitH framework, leading to a
reduction in signature size. Our security analysis proves that rVOLEitH achieves existential unforgeability under chosen-message attacks (EUF-CMA) in the ideal cipher model. Compared to existing VOLEitH-based signatures, our approach reduces signature
size by up to 6.0\% while improving computational efficiency.
Furthermore, we analyze the impact of eliminating individual seed commitments and demonstrate a practical attack against a recently proposed VOLEitH variant that lacks such commitments. Our results establish rVOLEitH as an optimized and secure
alternative for post-quantum signatures, improving both efficiency and security in the VOLEitH paradigm.
## 2025/1078
* Title: A Theoretical Perspective on the Formal Verification of IoT Protocols Using LTL and Rewriting Logic in Maude
* Authors: Delia-Iustina Grigoriță
* [Permalink](
https://eprint.iacr.org/2025/1078)
* [Download](
https://eprint.iacr.org/2025/1078.pdf)
### Abstract
As Internet of Things (IoT) systems become increasingly complex, verifying communication protocols is essential to guarantee their security and correctness. This paper introduces a brief introduction to the theoretical concepts of how to use formal
techniques, LTL and rewriting logic within the Maude system to verify the security and proper behavior of the protocols. While rewriting logic explains how various events occur over time, LTL explains how a property can be formulated. This theoretical
perspective is intended to inform future applications and research.
## 2025/1079
* Title: Revisiting Discrete Logarithm Reductions
* Authors: Maiara F. Bollauf, Roberto Parisella, Janno Siim
* [Permalink](
https://eprint.iacr.org/2025/1079)
* [Download](
https://eprint.iacr.org/2025/1079.pdf)
### Abstract
A reduction showing that the hardness of the discrete logarithm ($\mathsf{DL}$) assumption implies the hardness of the computational Diffie-Hellman ($\mathsf{CDH}$) assumption in groups of order $p$, where $p - 1$ is smooth, was first presented by
den Boer [Crypto, 88].}
We also consider groups
of prime order $p$, where $p - 1$ is somewhat smooth (say, every prime $q$ that divides $p - 1$ is less than $2^{100}$).
Several practically relevant groups satisfy this condition.
1. We present a concretely efficient version of the reduction for such groups.
In particular, among practically relevant groups, we obtain the most efficient and tightest reduction in the literature for BLS12-381, showing that $\mathsf{DL}$ = $\mathsf{CDH}$.
2. By generalizing the reduction, we show that in these groups the $n$-Power $\mathsf{DL}$ ($n$-$\mathsf{PDL}$) assumption implies $n$-Diffie-Hellman Exponent ($n$-$\mathsf{DHE}$) assumption, where $n$ is polynomial in the security parameter.
On the negative side, we show there is no generic reduction, which could demonstrate that $n$-$\mathsf{PDL}$ implies the $n$-Generalized Diffie-Hellman Exponent ($n$-$\mathsf{GDHE}$) assumption.
This is in stark contrast with the algebraic group model, where this implication holds.
## 2025/1080
* Title: Leftover Hash Lemma(s) Over Cyclotomic Rings
* Authors: Katharina Boudgoust, Oleksandra Lapiha
* [Permalink](
https://eprint.iacr.org/2025/1080)
* [Download](
https://eprint.iacr.org/2025/1080.pdf)
### Abstract
In this work, we propose a novel systematic approach for obtaining leftover hash lemmas (LHLs) over cyclotomic rings. Such LHLs build a fundamental tool in lattice-based cryptography, both in theoretical reductions as well as in the design of
cryptographic primitives. The scattered set of prior works makes it difficult to navigate the landscape and requires a substantial effort to understand the mathematical constraints under which the LHL holds over cyclotomic rings. This is especially
painful if one’s given setting does not fit exactly into prior studies.
[continued in next message]
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)